seL4's implementation is formally (mathematically) proved correct
(bug-free) against its specification, is proved to enforce strong
security properties, and its operations have proved save upper
bounds on their worst-case execution times.